Namoh

Reputation: 31

CloudFront - Editing Origin - Restrict Bucket Access

I have a situation that I am unable to understand, and I am not able to find any documentation about it either.

I have done the following:

  1. Created an S3 bucket

  2. Gave public access to it

  3. Enabled it for static website hosting

  4. Created a CloudFront distribution for it

  5. Enabled HTTPS at CloudFront

Now I am trying to restrict the access of S3 bucket only to CloudFront.

I tried the steps presented at

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html

Unfortunately, when I try to edit the origin I don't see all the options in the UI; in particular, Restrict Bucket Access is missing.

I only see options to edit Origin Domain Name, Origin Path, Origin Id (grayed out) and Origin Custom Headers. There is no option to enter an OAI or to set Restrict Bucket Access, etc.

Is it because of enabling HTTPS?

S3 masters, please help!

Upvotes: 3

Views: 1284

Answers (2)

sledgeweight

Reputation: 8095

For those who have since changed some S3 settings to not be public and intend it to be only retrievable via CloudFront: the option is now there, but hidden. You just have to cut/copy the value from Origin Domain Name in the origin tab and then paste it in again (if it is the same bucket), and the UI will then render the Restrict Bucket Access input options.

Upvotes: 6

Michael - sqlbot

Reputation: 178956

Origin access identities are only applicable when using the S3 REST endpoint (e.g. example-bucket.s3.amazonaws.com) for the bucket, not when you are using the website hosting endpoint (e.g. example-bucket.s3-website.us-east-2.amazonaws.com), because website hosting endpoints do not support authenticated requests; they are only for public content, but OAI is an authentication mechanism.

When using the website endpoint, CloudFront does not treat the origin as an S3 Origin; it is treated as a Custom Origin, and these options are not available, because if they were available they wouldn't work anyway (for the reason mentioned above).

Upvotes: 9
